Test subject – PowerShell ransomware

This PowerShell ransomware variant is particularly dangerous because it bypasses conventional anti-malware tools and renders files unusable. It uses a legitimate process to run the file encryption, eluding application control, heuristics and sandbox detection techniques. At the time of the test, less than a quarter of the solutions (according to Virustotal.com) were able to identify this ransomware.

PowerShell ransomware test facts

The ransomware arrives as a java script email attachment. Upon opening the attachment, the java script starts the PowerShell.exe process and feeds it an embedded PowerShell script. Next, the legitimate process executes the PowerShell script and starts encrypting the files. TEMASOFT Ranstop detects the ransomware activity in several seconds and alerts the user. It stops the PowerShell process responsible for the encryption and, because it is a legitimate executable, it does not quarantine the file. The product restores the damaged files next, and performs a cleanup of the encrypted content.

PowerShell ransomware test results

TEMASOFT Ranstop successfully stopped this PowerShell ransomware and recovered the damaged files. The test resulted in zero file loss and no downtime.

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.